Prepare for Installation
Applies To: Opalis 6.3
Perform the following tasks before you install Opalis Integration Server to make sure that the installation will be successful.
Preparing the Action Server and Management Server Computers
Opalis Integration Server automates tasks across the entire server architecture. This type of automation requires high levels of access permissions. It is imperative to restrict access to the action server and management server computers such that only authorized administrators can alter the settings on these computers. To prepare the computers that will host these services, we recommend the following:
Restrict interactive login access to the Local Administrators group.
Add only the minimum necessary user accounts or groups to the Local Administrators group. For more information about configuring user permissions, see the Microsoft Windows documentation about security policies and user privileges.
Defining the Service User Account
Identify an existing account, or create a new one, that the management server service and action server service on each computer where you install these items will use to access system resources. You can use a local account on the computer where the management server service or action server service is running; however, a local account may not have access to network resources. Instead, you could use an Active Directory account.
The account does not have to be an Administrator account, but it should be a member of the Administrators group on the computer where the management server service and action server service are installed. Additionally, the account does not have to be a domain Administrator.
Granting Authentication to the Service User Account
Because Opalis Integration Server uses services to operate, the account that you identify for use by the Management service and Action service must have the Log on as a Service user right assigned to it. You can use Active Directory Group Policy to grant authentication to the service user account, or if you are using a local account, you can assign this right using the Local Group Policy Editor (GPEDIT.MSC) on the computer.
To grant authentication to the Service User account
In the Local Group Policy Editor, navigate to Local Computer Policy > Computer Configuration > Security Settings > Local Policies > User Rights Assignment > Log on as a service and add the service user account.
Verify that the account is not included in the Deny logon as a service user right located at Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny logon as a service.
Add the service user account to the Act as part of the Operating System right, located at Local Computer Policy > Computer Configuration > Security Settings > Local Policies > User Rights Assignment > Act as part of the Operating System.
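The three steps above can be checked after the fact with the following added example, which is not part of the original Opalis documentation. It exports the computer's user rights with `secedit` and reports whether the service account holds each right; the account name `CONTOSO\svc-opalis` and the temporary file name are assumptions.

```powershell
# Added example: audit the three user rights from the procedure above.
# 'CONTOSO\svc-opalis' is a hypothetical account name; run from an elevated prompt.
param([string]$ServiceAccount = 'CONTOSO\svc-opalis')

function Resolve-ToSid([string]$Entry) {
    # The export lists holders as *SID or, less often, as a plain account name.
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Entry)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }   # name could not be resolved
}

function Get-UserRightHolders([string]$InfPath) {
    # Lines in [Privilege Rights] look like: SeServiceLogonRight = *S-1-5-20,NAME
    $rights = @{}
    foreach ($line in Get-Content -Path $InfPath) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.+)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() })
        }
    }
    return $rights
}

function Test-DirectHolder($Rights, [string]$Right, [string]$Sid) {
    # A right with no holders is absent from the export entirely.
    if (-not $Rights.ContainsKey($Right)) { return $false }
    foreach ($entry in $Rights[$Right]) {
        if ((Resolve-ToSid $entry) -eq $Sid) { return $true }
    }
    return $false
}

$inf = Join-Path $env:TEMP 'opalis-user-rights.inf'   # assumed scratch file name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Get-UserRightHolders $inf
Remove-Item $inf

$sid = Resolve-ToSid $ServiceAccount
if (-not $sid) { throw "Cannot resolve account '$ServiceAccount'" }

# Expected state per right: granted, not denied, granted.
$expected = @{ SeServiceLogonRight = $true; SeDenyServiceLogonRight = $false; SeTcbPrivilege = $true }
foreach ($right in $expected.Keys) {
    $actual = Test-DirectHolder $rights $right $sid
    $status = if ($actual -eq $expected[$right]) { 'OK' } else { 'FIX' }
    '{0,-4} {1,-26} held={2}' -f $status, $right, $actual
}
```

The check matches direct assignments only; a right granted or denied through a group the account belongs to is not expanded and must be reviewed separately.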
Granting Authorization to the Action Server Service User Account
Any remote computer on which the action server service performs operations must allow the service user account to access information.
To grant authorization to the Action Server Service user account
- Verify that the user account that you have assigned to the action server service has permission on the remote computer to perform read and write operations.
Some objects in Opalis Integration Server enable you to use impersonated credentials for performing operations on remote computers. In the Properties dialog of objects that use impersonated credentials, you will be asked to provide the credentials for the remote computer. The credentials will be supplied to the remote computer when the object runs. However, if impersonation settings on the remote computer use non-default settings, this behavior may not function as expected.
Windows Firewall
Enable the following firewall rules as they apply to your operating system and deployment configuration.
Windows Firewall with Advanced Security for Windows Server 2008 and 2008 R2
Windows Firewall with Advanced Security is enabled by default on all Windows Server 2008 and 2008 R2 computers, and blocks all incoming traffic unless it is a response to a request by the host (solicited traffic) or it is specifically allowed (that is, a firewall rule has been created to allow the traffic). You can explicitly allow traffic by specifying a port number, application name, service name, or other criteria by configuring Windows Firewall with Advanced Security settings.
If you are running Windows Server 2008 or 2008 R2, enable the following rules to allow all Monitor Event activities to function correctly:
Windows Management Instrumentation (Async-In)
Windows Management Instrumentation (DCOM-In)
Windows Management Instrumentation (WMI-In)
Automated Deployment of Action Servers or Clients
When action servers or clients need to be installed behind a firewall, specific firewall rules are required between the deployment manager and the remote computers that are used to deploy action servers or clients. An additional rule is required for the remote connection between the client and the management server to enable the Opalis management service to accept remote connections. If you are using the Monitor WMI object, the action server requires a special firewall rule on the computer that will use PolicyModule.exe.
Enable the following firewall rules as they apply to your operating system.
Firewall Rule between the Client and the Management Server (the Computer running OpalisManagementService)
Operating system | Firewall rule |
---|---|
64-bit | %ProgramFiles(x86)%\Opalis Software\Opalis Integration Server\Management Service\OpalisManagementService.exe |
32-bit | %ProgramFiles%\Opalis Software\Opalis Integration Server\Management Service\OpalisManagementService.exe |
Firewall Rules between the Deployment Manager and the Remote Computers
Operating system | Firewall rules |
---|---|
Windows Server 2008 or 2008 R2 |
|
Windows Server 2003 |
|
Firewall Rule between the Action Server and the Server that will use PolicyModule.exe
Operating system | Firewall rule |
---|---|
64-bit | %ProgramFiles(x86)%\Opalis Software\Opalis Integration Server\Action Server\PolicyModule.exe |
32-bit | %ProgramFiles%\Opalis Software\Opalis Integration Server\Action Server\PolicyModule.exe |
For more information about adding firewall rules, see Add or Edit a Firewall Rule (https://go.microsoft.com/fwlink/?LinkID=201019).
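The program rules in the tables above and the three Windows Management Instrumentation rules can be applied from an elevated PowerShell prompt on Windows Server 2008 or 2008 R2, as in this added example, which is not part of the original documentation. The rule name, the inbound direction, and the `remoteip` restriction with its placeholder subnet are assumptions.

```powershell
# Added example: firewall setup for a Windows Server 2008 / 2008 R2 host. Run elevated.
# The rule name, inbound direction and $AllowedRemote are assumptions, not page values.
param(
    [ValidateSet('ManagementServer', 'ActionServer')]
    [string]$Role = 'ManagementServer',
    [string]$AllowedRemote = '192.0.2.0/24'   # placeholder subnet of permitted peers
)

# 64-bit Windows installs under %ProgramFiles(x86)%, 32-bit under %ProgramFiles%.
$base = ${env:ProgramFiles(x86)}
if (-not $base) { $base = $env:ProgramFiles }

$relative = @{
    ManagementServer = 'Management Service\OpalisManagementService.exe'
    ActionServer     = 'Action Server\PolicyModule.exe'
}[$Role]
$exe = Join-Path $base "Opalis Software\Opalis Integration Server\$relative"

# Refuse to create a rule for a binary that is not installed at the documented path.
if (-not (Test-Path $exe)) { throw "Not found: $exe" }

# Program-scoped inbound allow rule, limited to the expected remote peers.
netsh advfirewall firewall add rule name="Opalis $Role" dir=in action=allow `
    program="$exe" remoteip=$AllowedRemote enable=yes

# Built-in rules required by the Monitor Event activities.
foreach ($rule in 'Async-In', 'DCOM-In', 'WMI-In') {
    netsh advfirewall firewall set rule `
        name="Windows Management Instrumentation ($rule)" new enable=yes
}
```

Scoping the program rule to the clients, deployment manager or action servers that actually need to connect keeps the exception narrower than an unrestricted program rule.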